Package: gettext
Version: 0.19.8.1-4

msgunfmt crashes on the attached file:

$ zcat bad.mo.gz | msgunfmt
*** Error in `msgunfmt': corrupted size vs. prev_size: 0x57b0abf0 ***
...
Aborted

Unhelpful backtrace:

#0 0xf77b0dc9 in __kernel_vsyscall ()
#1 0xf6ffadd0 in __libc_signal_restore_set (set=0xffd55430) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xf6ffc297 in __GI_abort () at abort.c:89
#4 0xf703638f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#5 0xf703cfc7 in malloc_printerr (action=<optimized out>, str=0xf712ccc6 "corrupted size vs. prev_size", ptr=<optimized out>, ar_ptr=0xf7182780 <main_arena>) at malloc.c:5049
#6 0xf703f4d5 in _int_malloc (av=av@entry=0xf7182780 <main_arena>, bytes=bytes@entry=220) at malloc.c:3765
#7 0xf7040bf5 in __GI___libc_malloc (bytes=220) at malloc.c:2928
#8 0xf771a28a in xmalloc (n=220) at xmalloc.c:65
#9 0xf7742d9f in message_alloc (msgctxt=0x56af0be8 "00\030\367\b*\030\367\340\v\257", <incomplete sequence \371>, msgid=0x56af0bf6 "", msgid_plural=0x56af0bf7 "", msgstr=0x56af20f8 '0' <repeats 13 times>, msgstr_len=2096, pp=0x565a8100 <pos>) at message.c:127
#10 0x565a2dc7 in read_mo_file (mlp=0x56af0098, filename=<optimized out>) at read-mo.c:390
#11 0x565a1b5a in read_one_file (filename=0x565a4875 "-", mlp=<optimized out>) at msgunfmt.c:555
#12 main (argc=<optimized out>, argv=<optimized out>) at msgunfmt.c:401

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages gettext depends on:
ii libc6 2.24-17
ii libcroco3 0.6.12-1
ii libglib2.0-0 2.54.0-1
ii libgomp1 7.2.0-6
ii libncurses5 6.0+20170902-1
ii libtinfo5 6.0+20170902-1
ii libunistring2 0.9.7-2
ii libxml2 2.9.4+dfsg1-4
ii gettext-base 0.19.8.1-4
ii dpkg 1.18.24
ii install-info 6.5.0.dfsg.1-1

-- 
Jakub Wilk
bad.mo.gz
Description: application/gzip

